NIST 800-53 r5 · Controls catalogue · Family AT
AT-3Role-based Training
Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}: Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and When required by system changes; Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (10)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,905 | Security training teaches access control policies and enforcement, reducing improper access control implementations. |
CWE-287 | Improper Authentication | 4,757 | Training on authentication mechanisms and best practices decreases the occurrence of improper authentication. |
CWE-269 | Improper Privilege Management | 2,936 | Training covers proper privilege management practices, making incorrect privilege assignments less likely. |
CWE-798 | Use of Hard-coded Credentials | 1,961 | Security training explicitly warns against hard-coded credentials, lowering their use in systems. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,837 | Training on permission management reduces incorrect permission assignments for critical resources. |
CWE-285 | Improper Authorization | 1,252 | Role-based training addresses authorization requirements and checks, lowering the risk of improper authorization. |
CWE-319 | Cleartext Transmission of Sensitive Information | 1,051 | Role-based training covers secure transmission methods, mitigating cleartext transmission of sensitive data. |
CWE-312 | Cleartext Storage of Sensitive Information | 924 | Training on secure data handling discourages cleartext storage of sensitive information. |
CWE-311 | Missing Encryption of Sensitive Data | 552 | Privacy and security training stresses encryption of sensitive data, reducing missing encryption weaknesses. |
CWE-250 | Execution with Unnecessary Privileges | 311 | Role-based training on least privilege principles reduces the chance personnel assign or retain unnecessary privileges. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||